TCP Ports Needed for Communication to SQL Server Through a Firewall

SQL Server is a Winsock application that communicates over TCP/IP using the sockets network library. The SQL Server listens for incoming connections on a particular port; the default port for SQL Server is 1433. The port doesn't need to be 1433, but 1433 is the official Internet Assigned Number Authority (IANA) socket number for SQL Server.

A client application communicates to SQL Server using the client-side network library Dbmssocn.dll (or Dbnetlib.dll for SQL Server 2000) and any client using Microsoft Data Access Components (MDAC) 2.6.

When the client establishes a TCP/IP connection, a three-way handshake is done. The client opens a source port and sends traffic to a destination port, which by default is 1433. The client source port in use is random, but is greater than 1024. By default, when an application requests a socket from the system for an outbound call, a port between the values of 1024 and 5000 is supplied. For more information, see "Microsoft Windows 2000 TCP/IP Implementation Details" at the following Microsoft Web site: (  

The server (in this case, SQL Server) then communicates to the client by sending traffic from 1433 back to the port that the client established.

The best way to observe this behavior is to trace a client-to-server communication by using Microsoft Network Monitor or a network sniffer tool. To configure the firewall, you must allow traffic from *ANY* to 1433, and from 1433 to *ANY*, where *ANY* is a port greater than 1024.

*ANY* -> 1433
1433 -> *ANY*

In addition to using Microsoft Network Monitor, you can also use the TCP/IP Netstat utility to illustrate this. Issuing netstat -an from an MS-DOS command window produces the following results showing three established connections to SQL Server. This example uses as the IP address of SQL Server and as the client IP address. The ports opened by the client are 1746, 1748, and 1750 respectively.

Proto   Local Address          Foreign Address        State
 TCP              LISTENING

The firewall software should allow this dynamic allocation to occur through the use of rules. If it does, you can configure 1433 -> *ANY* established; this will dynamically open the response port after a syn followed by a syn/ack by way of a statefull packet inspection.

There is no way to limit the number of source TCP ports used for a SQL Server client to connect; this would defeat the purpose of having the client allocate a new, unused dynamic port. This is a TCP/IP standard that is defined for Winsock applications; this is not a limitation of SQL Server client communication.

In addition, a named instance of SQL Server 2000 will use a dynamic destination port by default. This port should be changed to a fixed port prior to configuring the firewall. The SQL Server Network Utility should be used to configure the destination port. See SQL Server Books Online for information on how to use the SQL Server Network Utility.

Otherwise, the client computer would need to open a random UDP port and the server UDP port 1434 will be used to send the instance name, and if the instance is clustered, the version of the SQL instance, the TCP port number that the instance is listening on, and the named pipe that the instance is using. However, if the goal is to minimize the number of ports open on the firewall, a static port number should be chosen for the default instance and any named instance. The client computers would need to be configured to connect to a particular ServerName or ServerName instance and specific port number.


Source: Microsoft


Article is closed for comments.
Powered by Zendesk